This vulnerability is an SQL injection and remote code execution (RCE) vulnerability in Fortinet's FortiWeb Fabric Connector. It lets an attacker inject SQL, and from there execute malicious code, by placing SQL injection syntax in the authentication header of a request.
The vulnerability has been patched in each FortiWeb branch (7.0.11, 7.2.11, 7.4.8, 7.6.4), and AIWAF addresses it through its related SQL injection patterns and its own header-inspection functionality.
1. Overview
Fortinet's FortiWeb Fabric Connector is a system component that supports integration between FortiWeb web firewalls and other Fortinet products and features.
This report summarizes our analysis of CVE-2025-25257, an SQL injection and RCE vulnerability recently disclosed in this component.
Source : https://securityaffairs.com/179874/security/patch-immediately-cve-2025-25257-poc-enables-remote-code-execution-on-fortinet-fortiweb.html
2. Attack Type
CVE-2025-25257 is an SQL injection vulnerability that exploits the fact that certain functions in Fortinet's FortiWeb Fabric Connector use user input as-is. The get_fabric_user_by_token() function, used when attempting to connect to external Fortinet devices via the Fabric API, incorporates the Authorization header value directly into an SQL query, so an attacker can execute SQL injection syntax simply by sending it in the Authorization header.
__int64 __fastcall get_fabric_user_by_token(const char *a1)
{
    unsigned int v1; // ebx
    __int128 v3; // [rsp+0h] [rbp-4B0h] BYREF
    __int64 v4; // [rsp+10h] [rbp-4A0h]
    _BYTE v5[16]; // [rsp+20h] [rbp-490h] BYREF
    __int64 (__fastcall *v6)(_BYTE *); // [rsp+30h] [rbp-480h]
    __int64 (__fastcall *v7)(_BYTE *, char *); // [rsp+38h] [rbp-478h]
    void (__fastcall *v8)(_BYTE *); // [rsp+58h] [rbp-458h]
    __int64 (__fastcall *v9)(_BYTE *, __int128 *); // [rsp+60h] [rbp-450h]
    void (__fastcall *v10)(__int128 *); // [rsp+68h] [rbp-448h]
    char s[16]; // [rsp+80h] [rbp-430h] BYREF
    _BYTE v12[1008]; // [rsp+90h] [rbp-420h] BYREF
    unsigned __int64 v13; // [rsp+488h] [rbp-28h]

    v13 = __readfsqword(0x28u);
    *(_OWORD *)s = 0;
    memset(v12, 0, sizeof(v12));
    if ( a1 && *a1 )
    {
        init_ml_db_obj((__int64)v5);
        v1 = v6(v5);
        if ( !v1 )
        {
            // VULN: a1 is the raw Authorization token and is formatted straight into the query text
            snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);
            [..SNIP..]
Source : https://hackyboiz.github.io/2025/07/19/banda/CVE-2025-25257/
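To make the defect in the snprintf line concrete, the following added example (written for this report, not code from Fortinet or from the cited analysis) reproduces the same query-building pattern against an in-memory SQLite table and places the parameterized form beside it. The table name user_table, its columns and the sample tokens are assumptions; the real fabric_user.user_table schema is not on the page. The tautology payload is the one from the first example request below.

```python
import re
import sqlite3

# Constructed stand-in for the fabric_user.user_table referenced by the decompiled
# query. The real schema is not on the page; this one is an assumption for the demo.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, token TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO user_table (id, token) VALUES (?, ?)",
        [(1, "tok-alice-0001"), (2, "tok-bob-0002")],  # constructed sample tokens
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """Mirror the decompiled pattern: the header value is pasted into the SQL text.

    Whatever the caller puts in `token` becomes part of the statement, so a quote
    in the value changes the query's meaning instead of being treated as data.
    """
    sql = "select id from user_table where token='%s'" % token
    return [row[0] for row in conn.execute(sql)]


# Bearer tokens are opaque identifiers; anything outside this alphabet is not a
# token and should never reach the database. The alphabet itself is an assumption.
_TOKEN_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def is_well_formed_token(token: str) -> bool:
    return _TOKEN_RE.fullmatch(token) is not None


def lookup_hardened(conn: sqlite3.Connection, token: str) -> list:
    """Fixed pattern: the SQL text is constant and the token is a bound parameter.

    The driver passes the value separately from the statement, so it can only
    ever be compared as a string. The format check is defense in depth.
    """
    if not is_well_formed_token(token):
        return []
    sql = "select id from user_table where token=?"
    return [row[0] for row in conn.execute(sql, (token,))]


if __name__ == "__main__":
    db = build_db()
    payload = "AAAAAA'or'1'='1"  # tautology from the page's first example request
    print("vulnerable:", lookup_vulnerable(db, payload))        # every id: WHERE is always true
    print("hardened  :", lookup_hardened(db, payload))          # no rows: value compared literally
    print("hardened  :", lookup_hardened(db, "tok-alice-0001"))  # a real token still resolves
```

With the vulnerable lookup the tautology returns every user id, which is exactly the authentication bypass the header injection gives an attacker; with the bound parameter the same string matches no row, and the allowlist rejects it before the query is even issued.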
An attacker can perform an SQL injection attack by sending a request whose Authorization header carries an SQL statement written with /**/ comment sequences in place of spaces, which evades filters that react to whitespace characters.
It is also possible to escalate to an RCE attack using the INTO OUTFILE syntax.
Example attack request (SQL injection):
GET /api/fabric/device/status HTTP/1.1
Host: www.test.com
Authorization: Bearer AAAAAA'or'1'='1
Example attack request (SQL injection + RCE):
GET /api/fabric/device/status HTTP/1.1
Host: www.test.com
Authorization: Bearer '/**/UNION/**/SELECT/**/token/**/from/**/fabric_user.user_table/**/into/**/outfile/**/'../../lib/python3.10/site-packages/x.pth'
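The two requests above show why a header-inspection rule cannot simply look for spaces around SQL keywords. The following added example (our own illustration, not AIWAF code) extracts the bearer token from a raw request, normalizes away /**/ comments and whitespace, and then matches the indicators present in these requests. The sample requests are constructed: one benign token plus the two examples from this section.

```python
import re
from typing import List, Optional

# Inline comment sequences (the /**/ trick) and runs of whitespace are normalized
# away before matching, so keyword spacing cannot hide the statement.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_WS_RE = re.compile(r"\s+")

# Indicators that a bearer token carries SQL syntax. Derived from the two example
# requests on the page plus the generic tautology form; extend as needed.
_SQLI_PATTERNS = [
    (re.compile(r"'\s*or\s*'", re.I), "quote-or-quote tautology"),
    (re.compile(r"\bunion\s+select\b", re.I), "UNION SELECT"),
    (re.compile(r"\binto\s+(out|dump)file\b", re.I), "INTO OUTFILE/DUMPFILE"),
    (re.compile(r"'"), "single quote in token"),
]


def normalize(value: str) -> str:
    """Replace comments with a space and collapse whitespace."""
    return _WS_RE.sub(" ", _COMMENT_RE.sub(" ", value)).strip()


def bearer_token(raw_request: str) -> Optional[str]:
    """Return the Authorization header value (minus a 'Bearer ' prefix), or None."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            value = value.strip()
            if value.lower().startswith("bearer "):
                value = value[len("bearer "):].strip()
            return value
    return None


def inspect_request(raw_request: str) -> List[str]:
    """Labels of every SQL-injection indicator found in the request's bearer token."""
    token = bearer_token(raw_request)
    if token is None:
        return []
    normalized = normalize(token)
    return [label for pattern, label in _SQLI_PATTERNS if pattern.search(normalized)]


# Constructed sample requests: one benign, then the two from this section.
SAMPLE_REQUESTS = {
    "benign": "GET /api/fabric/device/status HTTP/1.1\r\nHost: www.test.com\r\n"
              "Authorization: Bearer 3f9c1e2a-constructed-token\r\n\r\n",
    "tautology": "GET /api/fabric/device/status HTTP/1.1\r\nHost: www.test.com\r\n"
                 "Authorization: Bearer AAAAAA'or'1'='1\r\n\r\n",
    "union_outfile": "GET /api/fabric/device/status HTTP/1.1\r\nHost: www.test.com\r\n"
                     "Authorization: Bearer '/**/UNION/**/SELECT/**/token/**/from/**/"
                     "fabric_user.user_table/**/into/**/outfile/**/'../../lib/python3.10/"
                     "site-packages/x.pth'\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        hits = inspect_request(req)
        print(f"{name:14s} -> {'BLOCK' if hits else 'allow'} {hits}")
```

The single-quote rule is the cheapest and most robust of the four: a real bearer token never contains a quote, so for this endpoint it can be enforced as a strict allowlist rather than a signature, which is the same defense-in-depth check a fixed get_fabric_user_by_token() should apply before touching the database.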
3. Response Measures
Fortinet has released a patch for CVE-2025-25257. Users of the affected product, FortiWeb, should check their FortiWeb version and upgrade to the patched release for their branch or later to address this vulnerability.
Our AIWAF product responds appropriately to SQL injection attacks targeting headers through the “View Header” feature.
Source : https://fortiguard.fortinet.com/psirt/FG-IR-25-151
4. Conclusion
Fortinet's FortiWeb is a web firewall used worldwide. CVE-2025-25257, found in this product, is a very classic SQL injection method aimed at a firewall product, and it has a significant impact on the customer services behind that firewall, so it is necessary to patch to the latest version quickly.
Our TA team is monitoring vulnerabilities in AIWAF products and plans to respond swiftly to any related vulnerabilities discovered in the future.